
In Development Release Notes

The development release notes are generated by AI and may contain errors.


This release focuses on security hardening across auth and demo views, adds team-scoped Celery tooling, and includes a number of smaller improvements and fixes.

A pass over a few endpoints to close off ways they could be misused:

  • Logout now requires a POST. A small JavaScript shim (logout.js) converts logout links into POST submissions so a stray <img src="/accounts/logout/"> (or a link prefetcher) can no longer log users out via GET. When JS is disabled, allauth’s confirmation page is used as a fallback.
  • Email confirmation now requires a POST. The confirmation page auto-submits the form via JavaScript so real users keep the one-click experience, while email security scanners and prefetchers that don’t run JS won’t silently consume the confirmation token. A spinner is shown while the form submits.
  • Restricted the simulate_error view to superusers. Previously it was publicly accessible.
  • Documented that the API schema and docs endpoints (/api/schema/, Swagger, ReDoc) are public by default, with inline guidance on how to restrict them (e.g. permission_classes, gating on DEBUG, or removing them).
  • Avatar upload validation failures now return a 400 instead of a 403.
  • Added a baseline set of pre-commit hooks (YAML check, end-of-file, trailing whitespace, merge-conflict, large-files).

New helpers to make it easier to write team-aware background tasks and lookups without forgetting to filter by team:

  • Added a @team_task decorator (apps/teams/celery.py) for team-scoped Celery tasks. It treats the task’s first argument as a team_id (positional or keyword), loads the team, and runs the task body inside the team context so the team-scoped objects manager just works. Failing to load the team raises Team.DoesNotExist by design rather than silently no-op’ing.
  • Added a get_team_object_or_404 shortcut (apps/teams/shortcuts.py) that scopes get_object_or_404 to the current team context, avoiding accidental cross-team lookups via the unfiltered default manager.
  • Added tests for both.
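The contract these two helpers describe, as an added Django-free illustration that is not Pegasus's own code from apps/teams/celery.py or apps/teams/shortcuts.py: the team context is emulated with a contextvars.ContextVar, and Invoice, TEAM_IDS and INVOICES are constructed sample data.

```python
import contextvars
import functools
from dataclasses import dataclass

# Emulated team context (assumption: Pegasus's real mechanism is not reproduced here).
_current_team = contextvars.ContextVar("current_team", default=None)

class DoesNotExist(Exception): """Stand-in for Team.DoesNotExist."""
class Http404(Exception): """Stand-in for django.http.Http404."""

@dataclass(frozen=True)
class Invoice:
    id: int
    team_id: int
    total: int

# Constructed sample data: team ids 1 and 2 exist, each owning one invoice.
TEAM_IDS = {1, 2}
INVOICES = {10: Invoice(10, team_id=1, total=500), 20: Invoice(20, team_id=2, total=900)}

def team_task(func):
    """Resolve the first argument (positional or keyword) as team_id and run the body
    inside that team's context; an unknown team raises DoesNotExist instead of no-op'ing."""
    @functools.wraps(func)
    def wrapper(*args, **kwargs):
        team_id = args[0] if args else kwargs["team_id"]
        if team_id not in TEAM_IDS:
            raise DoesNotExist(f"Team {team_id} does not exist")
        token = _current_team.set(team_id)
        try:
            return func(*args, **kwargs)
        finally:
            _current_team.reset(token)
    return wrapper

def get_team_object_or_404(table, **lookup):
    """Scoped stand-in for get_object_or_404: only rows owned by the team in the current
    context match, so another team's id yields a 404 rather than leaking the row."""
    team_id = _current_team.get()
    if team_id is None:
        raise RuntimeError("no team in context; refusing an unscoped lookup")
    for obj in table.values():
        if obj.team_id == team_id and all(getattr(obj, k) == v for k, v in lookup.items()):
            return obj
    raise Http404(f"{lookup} not found for team {team_id}")

@team_task
def invoice_total(team_id, invoice_id):
    """Sample task body: it can only see invoices belonging to the team it ran for."""
    return get_team_object_or_404(INVOICES, id=invoice_id).total
```

Calling invoice_total(1, 20) raises Http404 even though invoice 20 exists, because it belongs to team 2; the default-manager lookup the shortcut replaces would have returned it.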

Added

  • Markdown rendering now supports tables, via the markdown TableExtension.
  • Added a pegasus-projects Claude Code skill (shipped into generated projects) covering the new projects CLI commands.

Changed

  • Refactored get_image_url meta-tag handling. Default and page images are now resolved through static() consistently, and absolute http(s) URLs are passed through untouched.
  • Gated the dashboard app behind paid tiers (URLs and app are only included on non-free configurations).
  • When a user changes their email to an address they already own, the primary allauth EmailAddress is now kept in sync (the new-email case was already handled by the confirmation signal).
  • The admin DB MCP tool now bundles mcp-alchemy into the virtualenv so it works in production without uvx, and uses psycopg3 instead of psycopg2.
  • Marked package.json as private and removed placeholder author/description/homepage fields.
  • Deployment config now wires through social login secrets, Stripe live-mode, and log levels across the additional deploy targets.
  • CI now uses uv sync --frozen to match local development.
  • Updated AI rules (project Python version, PEP 758 except syntax, multi-line template comments) and the resolve-pegasus-conflicts and upgrade-pegasus skills.
  • Bumped the CLI versions.

Fixed

  • Added min-w-0 to the app content flex item to prevent content overflow.
  • Narrowed the admin/health-check mypy overrides and tightened a few type annotations.
  • Logout and email confirmation now require POST. Pegasus handles this for you via the bundled logout.js shim and the auto-submitting confirmation page, but if you have custom logout links or a custom email-confirmation template, make sure they submit via POST (with a CSRF token) rather than relying on GET.
  • If you have any custom Celery tasks that operate on team-scoped models, consider migrating them to the new @team_task decorator and get_team_object_or_404 shortcut.